---
layout: "api"
page_title: "/sys/mounts - HTTP API"
sidebar_title: "<code>/sys/mounts</code>"
sidebar_current: "api-http-system-mounts"
description: |-
  The `/sys/mounts` endpoint is used to manage secrets engines in Vault.
---

# `/sys/mounts`

The `/sys/mounts` endpoint is used to manage secrets engines in Vault.

## List Mounted Secrets Engines

This endpoint lists all the mounted secrets engines.

| Method   | Path                         |
| :--------------------------- | :--------------------- |
| `GET`    | `/sys/mounts`                |

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/mounts
```

### Sample Response

```json
{
  "aws/": {
    "type": "aws",
    "description": "AWS keys",
    "config": {
      "default_lease_ttl": 0,
      "max_lease_ttl": 0,
      "force_no_cache": false,
      "seal_wrap": false
    }
  },
  "sys/": {
    "type": "system",
    "description": "system endpoint",
    "config": {
      "default_lease_ttl": 0,
      "max_lease_ttl": 0,
      "force_no_cache": false,
      "seal_wrap": false
    }
  },
  "data": {
    "aws/": {
      "type": "aws",
      "description": "AWS keys",
      "config": {
        "default_lease_ttl": 0,
        "max_lease_ttl": 0,
        "force_no_cache": false,
        "seal_wrap": false
      }
    },
    "sys/": {
      "type": "system",
      "description": "system endpoint",
      "config": {
        "default_lease_ttl": 0,
        "max_lease_ttl": 0,
        "force_no_cache": false,
        "seal_wrap": false
      }
    }
  }
}
```

`default_lease_ttl` or `max_lease_ttl` values of 0 mean that the system defaults
are used by this backend.
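
As an added example (not part of the Vault documentation), the Python below builds a mount inventory from a `/sys/mounts` response: it counts each mount once even though the response lists mounts both at the top level and under `data`, and resolves TTLs of 0 to system values. The sample response, the `secret/` mount, the `request_id` field value and the system TTL arguments are constructed assumptions.

```python
# Constructed sample in the shape of the response above; "secret/" and
# "request_id" are illustrative values, not taken from the documentation.
_AWS = {"type": "aws", "description": "AWS keys",
        "config": {"default_lease_ttl": 0, "max_lease_ttl": 0,
                   "force_no_cache": False, "seal_wrap": False}}
_KV = {"type": "kv", "description": "team secrets",
       "config": {"default_lease_ttl": 1800, "max_lease_ttl": 3600,
                  "force_no_cache": False, "seal_wrap": True}}
SAMPLE = {"request_id": "constructed", "aws/": _AWS, "secret/": _KV,
          "data": {"aws/": _AWS, "secret/": _KV}}


def mounts_from_response(resp):
    """Return {path: mount}, counting each mount once."""
    data = resp.get("data")
    if isinstance(data, dict) and data:
        return data
    # No "data" object: keep only top-level entries that look like mounts,
    # so envelope fields such as "request_id" are not mistaken for one.
    return {k: v for k, v in resp.items()
            if k.endswith("/") and isinstance(v, dict) and "type" in v}


def inventory(resp, system_default_ttl, system_max_ttl):
    """List mounts with effective TTLs in seconds; 0 means the system value."""
    rows = []
    for path, mount in sorted(mounts_from_response(resp).items()):
        cfg = mount.get("config") or {}
        own_default = cfg.get("default_lease_ttl") or 0
        own_max = cfg.get("max_lease_ttl") or 0
        rows.append({
            "path": path,
            "type": mount.get("type"),
            "default_lease_ttl": own_default or system_default_ttl,
            "max_lease_ttl": own_max or system_max_ttl,
            "uses_system_ttl": own_default == 0 and own_max == 0,
            "seal_wrap": bool(cfg.get("seal_wrap")),
        })
    return rows


if __name__ == "__main__":
    # Assumed system TTLs (seconds); take the real values from the server config.
    for row in inventory(SAMPLE, 2764800, 2764800):
        print(row)
```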

## Enable Secrets Engine

This endpoint enables a new secrets engine at the given path.

| Method   | Path                         |
| :--------------------------- | :--------------------- |
| `POST`   | `/sys/mounts/:path`          |

### Parameters

- `path` `(string: <required>)` – Specifies the path where the secrets engine
  will be mounted. This is specified as part of the URL.

    !> **NOTE:** Use ASCII printable characters to specify the desired path.

- `type` `(string: <required>)` – Specifies the type of the backend, such as
  "aws".

- `description` `(string: "")` – Specifies the human-friendly description of the
  mount.

- `config` `(map<string|string>: nil)` – Specifies configuration options for
  this mount; if set on a specific mount, values will override any global
  defaults (e.g. the system TTL/Max TTL).

  - `default_lease_ttl` `(string: "")` - The default lease duration, specified
    as a string duration like "5s" or "30m".

  - `max_lease_ttl` `(string: "")` - The maximum lease duration, specified as a
    string duration like "5s" or "30m".

  - `force_no_cache` `(bool: false)` - Disable caching.

  - `audit_non_hmac_request_keys` `(array: [])` - Comma-separated list of keys
    that will not be HMAC'd by audit devices in the request data object.

  - `audit_non_hmac_response_keys` `(array: [])` - Comma-separated list of keys
    that will not be HMAC'd by audit devices in the response data object.

  - `listing_visibility` `(string: "")` - Specifies whether to show this mount
    in the UI-specific listing endpoint. Valid values are `"unauth"` or
    `"hidden"`. If not set, behaves like `"hidden"`.

  - `passthrough_request_headers` `(array: [])` - Comma-separated list of headers
    to whitelist and pass from the request to the plugin.

  - `allowed_response_headers` `(array: [])` - Comma-separated list of headers
    to whitelist, allowing a plugin to include them in the response.

- `options` `(map<string|string>: nil)` - Specifies mount type specific options
  that are passed to the backend.

  *Key/Value (KV)*
  - `version` `(string: "1")` - The version of the KV to mount. Set to "2" to
    mount KV v2.

Additionally, the following options are allowed in Vault open-source, but
relevant functionality is only supported in Vault Enterprise:

- `local` `(bool: false)` – Specifies if the secrets engine is a local mount
  only. Local mounts are not replicated nor (if a secondary) removed by
  replication.

- `seal_wrap` `(bool: false)` - Enable seal wrapping for the mount, causing
  values stored by the mount to be wrapped by the seal's encryption capability.

### Sample Payload

```json
{
  "type": "aws",
  "config": {
    "force_no_cache": true
  }
}
```

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/mounts/my-mount
```
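
Several of the `config` parameters above change what a mount exposes or what audit devices record, so it is worth checking a payload before it is posted. The following pre-flight check is an added example, not part of the Vault documentation or tooling; `lint_mount_request`, the finding levels and the `RISKY` payload are hypothetical names and constructed values.

```python
def _as_list(value):
    """Accept a JSON array or a comma-separated string; return clean names."""
    if isinstance(value, str):
        value = value.split(",")
    return [str(v).strip() for v in (value or []) if str(v).strip()]


def lint_mount_request(path, payload):
    """Return (level, message) findings for a POST /sys/mounts/:path body."""
    findings = []
    if not path or any(not 0x20 <= ord(c) <= 0x7E for c in path):
        findings.append(("error", "path must be ASCII printable characters"))
    if not isinstance(payload.get("type"), str) or not payload["type"]:
        findings.append(("error", "type is required"))

    config = payload.get("config") or {}
    visibility = config.get("listing_visibility", "")
    if visibility not in ("", "unauth", "hidden"):
        findings.append(("error", f"listing_visibility {visibility!r} is invalid"))
    elif visibility == "unauth":
        findings.append(("warn", "mount is shown in the UI-specific listing endpoint"))

    for key in ("audit_non_hmac_request_keys", "audit_non_hmac_response_keys"):
        names = _as_list(config.get(key))
        if names:
            findings.append(("warn", f"{key}: not HMAC'd in audit logs: {names}"))
    for key in ("passthrough_request_headers", "allowed_response_headers"):
        names = _as_list(config.get(key))
        if names:
            findings.append(("warn", f"{key}: review whitelisted headers: {names}"))
    if config.get("force_no_cache"):
        findings.append(("info", "caching is disabled for this mount"))
    return findings


# Constructed payload for illustration; key and header names are made up.
RISKY = {
    "type": "kv",
    "config": {
        "listing_visibility": "unauth",
        "audit_non_hmac_request_keys": "username,account_id",
        "passthrough_request_headers": ["X-Request-Id"],
    },
}

if __name__ == "__main__":
    for level, message in lint_mount_request("my-mount", RISKY):
        print(f"{level}: {message}")
```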

## Disable Secrets Engine

This endpoint disables the mount point specified in the URL.

| Method   | Path                | Response           |
| :------- | :------------------ | :----------------- |
| `DELETE` | `/sys/mounts/:path` | `204 (empty body)` |

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/sys/mounts/my-mount
```

## Read Mount Configuration

This endpoint reads the given mount's configuration. Unlike the `mounts`
endpoint, this returns each TTL as its current value in seconds, which may be
the system default or a mount-specific value.

| Method   | Path                         |
| :--------------------------- | :--------------------- |
| `GET`    | `/sys/mounts/:path/tune`     |

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/mounts/my-mount/tune
```

### Sample Response

```json
{
  "default_lease_ttl": 3600,
  "max_lease_ttl": 7200,
  "force_no_cache": false
}
```

## Tune Mount Configuration

This endpoint tunes configuration parameters for a given mount point.

| Method   | Path                         |
| :--------------------------- | :--------------------- |
| `POST`   | `/sys/mounts/:path/tune`     |

### Parameters

- `default_lease_ttl` `(int: 0)` – Specifies the default time-to-live. This
  overrides the global default. A value of `0` is equivalent to the system
  default TTL.

- `max_lease_ttl` `(int: 0)` – Specifies the maximum time-to-live. This
  overrides the global default. A value of `0` is equivalent to the system
  max TTL.

- `description` `(string: "")` – Specifies the description of the mount. This
  overrides the current stored value, if any.

- `audit_non_hmac_request_keys` `(array: [])` - Specifies the comma-separated
  list of keys that will not be HMAC'd by audit devices in the request data
  object.

- `audit_non_hmac_response_keys` `(array: [])` - Specifies the comma-separated
  list of keys that will not be HMAC'd by audit devices in the response data
  object.

- `listing_visibility` `(string: "")` - Specifies whether to show this mount in
  the UI-specific listing endpoint. Valid values are `"unauth"` or `"hidden"`.
  If not set, behaves like `"hidden"`.

- `passthrough_request_headers` `(array: [])` - Comma-separated list of headers
  to whitelist and pass from the request to the plugin.

- `allowed_response_headers` `(array: [])` - Comma-separated list of headers
  to whitelist, allowing a plugin to include them in the response.

### Sample Payload

```json
{
  "default_lease_ttl": 1800,
  "max_lease_ttl": 3600
}
```

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/mounts/my-mount/tune
```